The silence of the BoMs: why you don’t know what macOS updates

For some of us, it’s not just nice to know what gets installed on our Macs, it’s essential. It’s normally one of the fundamental requirements for any scheme of security audit, and basic information for advanced users, sysadmins and developers.

For many years, this was maintained in macOS by the Installer app and tool, and Bill of Materials (BoM) files in their receipts. Whenever you installed a macOS update, this wrote an entry into that Mac’s Install History at /Library/Receipts/InstallHistory.plist, and wrote out a pair of files to /System/Library/Receipts, of which the BoM file contained a full transcript of everything that was installed.

One simple way to access this information is through System Information: select the Installations item in Software and the list there tells you everything that has been recorded in the Install History. What that doesn’t do, though, is detail what was installed. To discover that you’d have to open the respective BoM file in /System/Library/Receipts using the command-line tool lsbom.
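To show how those two records fit together in an audit, here is an added Python example (not code from the original post or from SystHist) that reads Install History entries from InstallHistory.plist, looks for a matching .bom receipt for each package identifier in both the pre-Catalina and post-Catalina receipt folders, and lists the BoM contents with lsbom where that tool is present. The plist sample embedded in the block is constructed for illustration, and the key names used (displayName, displayVersion, packageIdentifiers) are those found in InstallHistory.plist; the receipt file name pattern `<package identifier>.bom` is an assumption.

```python
#!/usr/bin/env python3
"""List recorded macOS installs and find out which of them left a BoM receipt."""
import plistlib
import shutil
import subprocess
from datetime import datetime
from pathlib import Path

INSTALL_HISTORY = Path("/Library/Receipts/InstallHistory.plist")
# Receipts lived in /System/Library/Receipts before Catalina; afterwards on the Data volume.
RECEIPT_DIRS = [
    Path("/Library/Apple/System/Library/Receipts"),
    Path("/System/Library/Receipts"),
]

# Constructed sample of two Install History entries (not real data from any Mac).
SAMPLE_HISTORY = plistlib.dumps([
    {
        "date": datetime(2021, 9, 13, 10, 0, 0),
        "displayName": "XProtectPlistConfigData",
        "displayVersion": "2150",
        "packageIdentifiers": ["com.apple.pkg.XProtectPlistConfigData_10_15.16U4211"],
        "processName": "softwareupdated",
    },
    {
        "date": datetime(2021, 9, 20, 8, 30, 0),
        "displayName": "macOS 11.6",
        "displayVersion": "11.6",
        "packageIdentifiers": [],          # a silent update: no package, no receipt
        "processName": "softwareupdated",
    },
])


def load_history(data):
    """Parse InstallHistory.plist bytes into a list of entry dicts, oldest first."""
    entries = plistlib.loads(data)
    return sorted(entries, key=lambda e: e.get("date", datetime.min))


def find_receipts(pkg_ids, receipt_dirs=RECEIPT_DIRS):
    """Map each package identifier to its .bom path, or None when no receipt was written."""
    found = {}
    for pkg in pkg_ids:
        found[pkg] = None
        for directory in receipt_dirs:
            candidate = directory / f"{pkg}.bom"   # assumed naming: <identifier>.bom
            if candidate.exists():
                found[pkg] = candidate
                break
    return found


def list_bom(bom_path):
    """Return the paths recorded in a BoM via `lsbom -s` (only works where lsbom exists)."""
    if shutil.which("lsbom") is None:
        raise RuntimeError("lsbom is not available on this system")
    out = subprocess.run(["lsbom", "-s", str(bom_path)],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def summarize(data, receipt_dirs=RECEIPT_DIRS):
    """Join each Install History entry with its receipts and flag those without a BoM."""
    rows = []
    for entry in load_history(data):
        receipts = find_receipts(entry.get("packageIdentifiers", []), receipt_dirs)
        rows.append({
            "date": entry.get("date"),
            "name": entry.get("displayName"),
            "version": entry.get("displayVersion"),
            "packages": list(receipts),
            "has_bom": any(path is not None for path in receipts.values()),
        })
    return rows


if __name__ == "__main__":
    # Use the real Install History when it exists, otherwise the constructed sample.
    data = INSTALL_HISTORY.read_bytes() if INSTALL_HISTORY.exists() else SAMPLE_HISTORY
    for row in summarize(data):
        flag = "BoM present" if row["has_bom"] else "NO BoM: contents unknown"
        print(f"{row['date']}  {row['name']} {row['version']}  [{flag}]")
```

Run on a Catalina or later Mac, the entries flagged "NO BoM" are exactly the updates whose contents you cannot reconstruct from receipts and must take from Apple's release notes instead.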

To save you the trouble of having to inspect these opaque files, my free utility SystHist does it all for you. In a window split into three scrollable views, the left and centre list updates recorded in the Install History, and the list at the right those with BoMs in /System/Library/Receipts. For the latter, clicking on the item in the list opens a floating window detailing the contents of that update from its BoM.


That worked well until Apple divided the macOS startup volume in Catalina. The folder /System/Library/Receipts was no longer writable, so it was moved to /Library/Apple/System/Library/Receipts on the Data volume. When this move took place, all previous BoM files were destroyed, and macOS updates ceased writing receipts, including BoM files. Given that Catalina continued to use the same basic update mechanism as Mojave and earlier, it’s hard to see a good reason for that happening.

This has been perpetuated with the new macOS update mechanism now used in Big Sur and in Monterey. If you’ve installed one of the InstallAssistant presentations of the Big Sur full installer, you will see a BoM for when that installs the full installer app, but nothing from the installation of macOS itself, which flies under the radar now. Some system updates do still lodge proper receipts: Rosetta 2, XProtect and MRT are among the few remaining.

So, if current macOS installers and updaters don’t reveal what they install, why can’t you inspect file attributes and work out what has changed from those? That method is blocked because every file and folder on the Big Sur System volume has the same dates of creation and modification, 1 January 2020 at 08:00, which are obviously false.
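Before relying on file dates in an audit it is worth measuring how much of a volume carries that placeholder timestamp. The following added Python example (not from the original post or from SystHist) walks a tree, counts files whose modification time is 1 January 2020 08:00, and reports whether timestamps are usable as evidence of change at all. It assumes the placeholder time is expressed in UTC, and it builds a small constructed sample tree in a temporary directory so it runs anywhere; on a Mac you would point it at /System instead.

```python
#!/usr/bin/env python3
"""Measure how many files carry the sealed-volume placeholder timestamp."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The date the post reports on every file of the Big Sur System volume.
# Time zone is assumed to be UTC here.
PLACEHOLDER_MTIME = datetime(2020, 1, 1, 8, 0, tzinfo=timezone.utc).timestamp()
TOLERANCE_SECONDS = 1.0


def has_placeholder_mtime(path):
    """True when the file's mtime is the placeholder date (within one second)."""
    return abs(os.lstat(path).st_mtime - PLACEHOLDER_MTIME) <= TOLERANCE_SECONDS


def mtime_audit(root):
    """Walk root; return (total files, placeholder count, newest non-placeholder mtime)."""
    total = placeholder = 0
    newest = None
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue                      # unreadable entry: skip rather than abort
            total += 1
            if abs(mtime - PLACEHOLDER_MTIME) <= TOLERANCE_SECONDS:
                placeholder += 1
            elif newest is None or mtime > newest:
                newest = mtime
    return total, placeholder, newest


def timestamps_usable(total, placeholder, max_fraction=0.5):
    """Timestamps are only evidence of change if most files do not carry the placeholder."""
    return total > 0 and placeholder / total < max_fraction


def make_sample_tree():
    """Constructed sample: three 'sealed' files with the placeholder mtime and one real file."""
    root = Path(tempfile.mkdtemp(prefix="sealed_sample_"))
    for i in range(3):
        sealed = root / f"sealed{i}"
        sealed.write_text("x")
        os.utime(sealed, (PLACEHOLDER_MTIME, PLACEHOLDER_MTIME))
    (root / "real").write_text("y")           # keeps its genuine current mtime
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    total, placeholder, newest = mtime_audit(root)
    print(f"{root}: {total} files, {placeholder} with placeholder date")
    if timestamps_usable(total, placeholder):
        print("newest real change:", datetime.fromtimestamp(newest, timezone.utc))
    else:
        print("file dates are not usable as change evidence on this tree")
```

On a Big Sur System volume the placeholder count approaches the total, which is the practical reason the post's fallback is Apple's release notes rather than file attributes.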


This shouldn’t matter, of course, with Big Sur, as the fact that it boots successfully declares that its Sealed System is intact. I’m not quite sure how you’d write that into your audit, and it does leave you completely in the dark as to what has changed in any macOS update. For that, you can only fall back on Apple’s detailed release notes and security notes, which is the reason that listing changes which may seem obscure and of little interest is so much more important now.

This leaves Catalina in an awkward position, though, as it doesn’t benefit from a Sealed System Volume, thus has no means to check the integrity of its system files. Yet its installers and updaters appear to have opted out of the proven receipt system with its BoMs. The more I look back at Catalina, the more grateful I am that we’ll soon be upgrading to Monterey.

Meanwhile, SystHist is available free from here, and I will continue to provide details of what changes in each macOS update no matter how obfuscated they get.